Bill Text: FL S1170 | 2020 | Regular Session | Comm Sub
Bill Title: Public Records and Meetings/Division of State Technology
Spectrum: Slight Partisan Bill (Republican 2-1)
Status: (Introduced - Dead) 2020-03-09 - Laid on Table, refer to CS/CS/HB 821 [S1170 Detail]
Florida Senate - 2020 CS for SB 1170
By the Committee on Governmental Oversight and Accountability; and Senators Baxley and Hutson
585-03006-20 20201170c1

A bill to be entitled

An act relating to public records and meetings; amending s. 282.318, F.S.; revising a provision to reflect the abolishment of the Agency for State Technology; providing an exemption from public records requirements for portions of records held by a state agency which contain network schematics, hardware and software configurations, or encryption; removing the scheduled repeal of a certain public records exemption; providing an exemption from public meetings requirements for portions of meetings which would reveal certain records; requiring the recording and transcription of exempt portions of such meetings; providing an exemption from public records requirements for such recordings and transcripts; providing an exception; revising applicability of provisions requiring and authorizing certain records to be made available to certain entities; providing for future legislative review and repeal under the Open Government Sunset Review Act of the exemptions; providing for retroactive application of the exemptions; providing statements of public necessity; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 282.318, Florida Statutes, is amended to read:

282.318 Security of data and information technology.—

(1) This section may be cited as the “Information Technology Security Act.”

(2) As used in this section, the term “state agency” has the same meaning as provided in s. 282.0041, except that the term includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.
(3) The department is responsible for establishing standards and processes consistent with generally accepted best practices for information technology security, to include cybersecurity, and adopting rules that safeguard an agency’s data, information, and information technology resources to ensure availability, confidentiality, and integrity and to mitigate risks. The department shall also:
(a) Designate a state chief information security officer who must have experience and expertise in security and risk management for communications and information technology resources.
(b) Develop, and annually update by February 1, a statewide information technology security strategic plan that includes security goals and objectives for the strategic issues of information technology security policy, risk management, training, incident management, and disaster recovery planning.
(c) Develop and publish for use by state agencies an information technology security framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency’s information technology resources are identified and managed consistent with their relative importance to the agency’s business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency’s priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
3. Completing comprehensive risk assessments and information technology security audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.
4. Identifying protection procedures to manage the protection of an agency’s information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
7. Establishing agency computer security incident response teams and describing their responsibilities for responding to information technology security incidents, including breaches of personal information containing confidential or exempt data.
8. Recovering information and data in response to an information technology security incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
9. Establishing an information technology security incident reporting process that includes procedures and tiered reporting timeframes for notifying the department and the Department of Law Enforcement of information technology security incidents. The tiered reporting timeframes shall be based upon the level of severity of the information technology security incidents being reported.
10. Incorporating information obtained through detection and response activities into the agency’s information technology security incident response plans.
11. Developing agency strategic and operational information technology security plans required pursuant to this section.
12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.
(d) Assist state agencies in complying with this section.
(e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on information technology security, including cybersecurity, threats, trends, and best practices.
(f) Annually review the strategic and operational information technology security plans of executive branch agencies.

(4) Each state agency head shall, at a minimum:
(a) Designate an information security manager to administer the information technology security program of the state agency. This designation must be provided annually in writing to the department by January 1. A state agency’s information security manager, for purposes of these information security duties, shall report directly to the agency head.
(b) In consultation with the department and the Cybercrime Office of the Department of Law Enforcement, establish an agency computer security incident response team to respond to an information technology security incident. The agency computer security incident response team shall convene upon notification of an information technology security incident and must comply with all applicable guidelines and processes established pursuant to paragraph (3)(c).
(c) Submit to the department annually by July 31, the state agency’s strategic and operational information technology security plans developed pursuant to rules and guidelines established by the department.
1. The state agency strategic information technology security plan must cover a 3-year period and, at a minimum, define security goals, intermediate objectives, and projected agency costs for the strategic issues of agency information security policy, risk management, security training, security incident response, and disaster recovery. The plan must be based on the statewide information technology security strategic plan created by the department and include performance metrics that can be objectively measured to reflect the status of the state agency’s progress in meeting security goals and objectives identified in the agency’s strategic information security plan.
2. The state agency operational information technology security plan must include a progress report that objectively measures progress made towards the prior operational information technology security plan and a project plan that includes activities, timelines, and deliverables for security objectives that the state agency will implement during the current fiscal year.
(d) Conduct, and update every 3 years, a comprehensive risk assessment, which may be completed by a private sector vendor, to determine the security threats to the data, information, and information technology resources, including mobile devices and print environments, of the agency. The risk assessment must comply with the risk assessment methodology developed by the department and is confidential and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Division of State Technology within the department, the Cybercrime Office of the Department of Law Enforcement, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General.
(e) Develop, and periodically update, written internal policies and procedures, which include procedures for reporting information technology security incidents and breaches to the Cybercrime Office of the Department of Law Enforcement and the Division of State Technology within the department. Such policies and procedures must be consistent with the rules, guidelines, and processes established by the department to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Division of State Technology within the department, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General.
(f) Implement managerial, operational, and technical safeguards and risk assessment remediation plans recommended by the department to address identified risks to the data, information, and information technology resources of the agency.
(g) Ensure that periodic internal audits and evaluations of the agency’s information technology security program for the data, information, and information technology resources of the agency are conducted. The results of such audits and evaluations are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Division of State Technology within the department, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.
(h) Ensure that the information technology security and cybersecurity requirements in both the written specifications for the solicitation and service-level agreement of information technology and information technology resources and services meet or exceed the applicable state and federal laws, regulations, and standards for information technology security and cybersecurity. Service-level agreements must identify service provider and state agency responsibilities for privacy and security, protection of government data, personnel background screening, and security deliverables with associated frequencies.
(i) Provide information technology security and cybersecurity awareness training to all state agency employees in the first 30 days after commencing employment concerning information technology security risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement.
(j) Develop a process for detecting, reporting, and responding to threats, breaches, or information technology security incidents which is consistent with the security rules, guidelines, and processes established by the Division of State Technology within the department [stricken: Agency for State Technology].
1. All information technology security incidents and breaches must be reported to the Division of State Technology within the department and the Cybercrime Office of the Department of Law Enforcement and must comply with the notification procedures and reporting timeframes established pursuant to paragraph (3)(c).
2. For information technology security breaches, state agencies shall provide notice in accordance with s. 501.171.
(5) [stricken: 3.] Portions of records held by a state agency which contain network schematics, hardware and software configurations, or encryption, or which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:
(a) [stricken: a.] Data or information, whether physical or virtual; or
(b) [stricken: b.] Information technology resources, which includes:
1. [stricken: (I)] Information relating to the security of the agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or
2. [stricken: (II)] Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.

[stricken: Such records shall be available to the Auditor General, the Division of State Technology within the department, the Cybercrime Office of the Department of Law Enforcement, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General. Such records may be made available to a local government, another state agency, or a federal agency for information technology security purposes or in furtherance of the state agency’s official duties. This exemption applies to such records held by a state agency before, on, or after the effective date of this exemption. This subparagraph is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2021, unless reviewed and saved from repeal through reenactment by the Legislature.]

(6) [stricken: (5)] The portions of risk assessments, evaluations, external audits, and other reports of a state agency’s information technology security program for the data, information, and information technology resources of the state agency which are held by a state agency are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution if the disclosure of such portions of records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:
(a) Data or information, whether physical or virtual; or
(b) Information technology resources, which include:
1. Information relating to the security of the agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or
2. Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.

For purposes of this subsection, the term “external audit” means an audit that is conducted by an entity other than the state agency that is the subject of the audit.

(7) Those portions of a public meeting as specified in s. 286.011 which would reveal records that are confidential and exempt under subsection (5) or subsection (6) are exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution. No exempt portion of an exempt meeting may be off the record. All exempt portions of such meeting shall be recorded and transcribed. Such recordings and transcripts are confidential and exempt from disclosure under s. 119.07(1) and s. 24(a), Art. I of the State Constitution unless a court of competent jurisdiction, after an in camera review, determines that the meeting was not restricted to the discussion of data and information made confidential and exempt by this section. In the event of such a judicial determination, only that portion of the recording and transcript which reveals nonexempt data and information may be disclosed to a third party.

(8) The [stricken: Such] portions of records made confidential and exempt in subsections (5), (6), and (7) shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Division of State Technology within the department, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General. Such portions of records may be made available to a local government, another state agency, or a federal agency for information technology security purposes or in furtherance of the state agency’s official duties. [stricken: For purposes of this subsection, “external audit” means an audit that is conducted by an entity other than the state agency that is the subject of the audit.]

(9) The exemptions contained in subsections (5), (6), and (7) apply [stricken: This exemption applies] to [stricken: such] records held by a state agency before, on, or after the effective date of this exemption.

(10) Subsections (5), (6), and (7) are [stricken: This subsection is] subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2025 [stricken: 2021], unless reviewed and saved from repeal through reenactment by the Legislature.

(11) [stricken: (6)] The department shall adopt rules relating to information technology security and to administer this section.

Section 2. (1)(a) The Legislature finds it is a public necessity that the following data or information held by a state agency be made confidential and exempt from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the State Constitution:
1. Portions of records held by a state agency which contain network schematics, hardware and software configurations, encryption, or which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:
a. Data or information, whether physical or virtual; or
b. Information technology resources, which include:
(I) Information relating to the security of the agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or
(II) Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.
2. Portions of risk assessments, evaluations, external audits, and other reports of a state agency’s information technology security programs, if the disclosure of such portions of records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:
a. Data or information, whether physical or virtual; or
b. Information technology resources, which include:
(I) Information relating to the security of the state agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or
(II) Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.
(b) Such records must be made confidential and exempt from public records requirements for the following reasons:
1. Portions of records held by a state agency which contain network schematics, hardware and software configurations, encryption, or which identify information technology detection, investigation, or response practices for suspected or confirmed information technology security incidents or breaches are likely to be used in the investigations of the incidents or breaches. The release of such information could impede the investigation and impair the ability of reviewing entities to effectively and efficiently execute their investigative duties. In addition, the release of such information before an active investigation is completed could jeopardize the ongoing investigation.
2. An investigation of an information technology security incident or breach is likely to result in the gathering of sensitive personal information, including identification numbers and personal financial and health information. Such information could be used to commit identity theft or other crimes. In addition, release of such information could subject possible victims of the security incident or breach to further harm.
3. Disclosure of a record, including a computer forensic analysis, or other information that would reveal weaknesses in a state agency’s data security could compromise that security in the future if such information were available upon conclusion of an investigation or once an investigation ceased to be active.
4. Such records are likely to contain proprietary information about the security of the system at issue. The disclosure of such information could result in the identification of vulnerabilities and further breaches of that system. In addition, the release of such information could give business competitors an unfair advantage and weaken the security technology supplier supplying the proprietary information in the marketplace.
5. The disclosure of such records could potentially compromise the confidentiality, integrity, and availability of state agency data and information technology resources, which would significantly impair the administration of vital state programs. It is necessary that this information be made confidential in order to protect the technology systems, resources, and data of state agencies.
6. It is valuable, prudent, and critical to a state agency to have an independent entity conduct a risk assessment, an audit, or an evaluation or complete a report of the agency’s information technology program or related systems. Such documents would likely include an analysis of the agency’s current information technology program or systems which could clearly identify vulnerabilities or gaps in current systems or processes and propose recommendations to remedy identified vulnerabilities.

(2)(a)1. The Legislature also finds that it is a public necessity that those portions of a public meeting which would reveal data and information described in paragraph (1)(a) be made exempt from s. 286.011, Florida Statutes, and s. 24(b), Article I of the State Constitution.
2. Such meetings must be made exempt from open meetings requirements in order to protect agency information technology systems, resources, and data. This information would clearly identify a state agency’s information technology systems and its vulnerabilities and disclosure of such information would jeopardize the information technology security of the state agency and compromise the integrity and availability of state agency data and information technology resources. Such disclosure would significantly impair the administration of state programs.
(b)1. The Legislature further finds that it is a public necessity that the recordings and transcripts of the portions of meetings specified in subparagraph (a)1. be made confidential and exempt from s. 119.07(1), Florida Statutes, and s. 24(a), Article I of the State Constitution.
2. It is necessary that the resulting recordings and transcripts be made confidential and exempt from public record requirements in order to protect state information technology systems, resources, and data. The disclosure of such recordings and transcripts would clearly identify a state agency’s information technology systems and its vulnerabilities. This disclosure would jeopardize the information technology security of the agency and compromise the integrity and availability of state data and information technology resources, which would significantly impair the administration of state programs.

(3) The Legislature further finds that these public meeting and public records exemptions must be given retroactive application because they are remedial in nature.

Section 3. This act shall take effect upon becoming a law.